1. Topic

1.1. Corporate Risk and Opportunity Register update 
2. Objective of this report 


2.1. The objective of this report is for Audit and Risk Committee to 
consider recent updates to the Corporate Risk Register and 
Opportunity Register, following the latest iteration of the Corporate 
Risk Review. 


3. Recommendation
3.1. That Audit and Risk Committee notes the report. 
4. Corporate Risk and Opportunity Register 


4.1. At each meeting of the Risk and Governance Board, the Board 
conducts a corporate risk review, where risk owners provide 
updates to the risks and opportunities on the Corporate Risk 
Register. The most recent iteration of this took place in October 
2021. This covered risks where, in previous risk reviews, the 
owners had indicated a review during August or September 2021 
would be beneficial. Since the Audit and Risk Committee last met 
in June 2021, there were also iterations of the risk review 
completed in July and August 2021. 


4.2. Since the Committee’s last meeting, the following key changes 
have been made to the risk register: 


• R46 (Financial resilience): The current likelihood of this risk
was reduced from 4 to 3, and the overall score reduced from 
16 to 12. This reflects the greater certainty over fee income 
in the current financial year. 


• R73 (Compliance culture): following completion of the
compliance deep dive, which was presented to Audit
Committee in April, a thorough review was conducted of this
risk in light of the increased awareness of our lines of
defence for compliance controls. This results in both the
likelihood and impact of the risk being reduced from 4 to 3, 
and the overall score reduced from 16 to 9. This reflects the 
increased certainty we have on the controls in place to 
ensure compliance. Ownership of this risk also transferred 
from Suzanne Gordon to Jo Butler, to reflect that the risk is 
overseen through the Risk and Governance Directorate. We 
have also slightly amended the definition of this risk, which 
is included in the risk register at Annex 1. 


• O71 (Online safety): This opportunity has been divided into
two entries, a risk and opportunity, to reflect the different 
work and issues. The existing opportunity score has been 
reviewed and the likelihood of delivering this opportunity was 
increased from 2 to 3, and the gross rating increased from 4 
to 6 (note: higher scores are better for opportunities). This 
reflects that we are now more informed of the legislative 
framework following publication of the Online Safety Bill. The 
new risk (R93: Online Safety) was scored as a likelihood of 3 
and impact of 3, with an overall score of 9 (amber). Further 
details are provided within the risk register at Annex 1. 


• R10 (Statutory Codes): Given the different stages of
development of the various Statutory Codes, it was agreed 
to remove this risk from the risk register and transfer the 
risks to the Directorate risk registers for those directorates 
responsible for delivering or overseeing the Codes. These 
may be escalated back to the Corporate Risk Register if 
necessary. However, this risk has been replaced with a new 
risk, R92, on Guidance. This is defined as “(Cause) 
Increasing expectations from government and other 
stakeholders to produce guidance that is research led and 
evidenced based, with full economic analysis and formal 
consultation, while being concise and audience targeted, 
leads to (threat) an increased resource demand or inability 
to manage stakeholder expectations for regulatory guidance 
(impact) damaging the ICO’s reputation and relevance as a 
regulator to deliver across all stakeholders, decreasing its 
reputation with government, public trust, influence and 
effectiveness.” At the time of writing, work to score this risk 
is ongoing. A verbal update will be given at the meeting. 
• R87 (International position): the current likelihood has
reduced from 3 to 2 and current score reduced from 12 to 8,
to reflect UK adequacy being approved by the EU.


• R83 (Staff Wellbeing and Welfare): the Board gave strong
consideration to reducing the gross and current likelihood
from 4 to 3, and reducing the gross and current score from
16 to 12. This would be to reflect that the impact of the
COVID-19 pandemic on staff welfare and wellbeing has
reduced as vaccinations have increased and restrictions have
eased. However, the Board decided to keep this score at
16 at present, until the results of the most recent staff
survey are known, to ensure statistical evidence supports the
anecdotal evidence. Results of this survey are expected
during October 2021, at which point the risk will be reviewed
again.


4.3. The tables below inform the Risk and Governance Board on
progress against key risks. Please note that for threats the highest
rated are highlighted in the highest rated table, and for
opportunities the lowest scoring is highlighted. This is because the
scoring mechanism is reversed for threats and opportunities
(for threat risks we wish to reduce the score; for opportunity risks
we wish to increase the score). Annex 1 shows a heat map of the
threats and opportunities.


Table 1: Highest Rated Corporate Risks

Ref | Type | Risk Title | Rating | Direction
R4 | Threat | Capacity and Capability | | Static
R83 | Threat | Staff Welfare and Wellbeing | | Static
O3 | Opp’ty | Expectations Gap | | Static

Table 2: Risk Watch List

Ref | Type | Risk | Rating | Rating Direction
R46 | Threat | Financial Resilience | | Reducing
R84 | Threat | Major Incident | | Static
R10 | Threat | Statutory Codes | | Static
R61 | Threat | Litigation Resource | | Static
R72 | Threat | SMEs | | Static
R85 | Threat | Managing ICO Reputation | | Static
R90 | Threat | Regulatory Action | | Static
R88 | Threat | Future role and structure of ICO | | Static
R89 | Threat | Compensation | | Static

5. Publication decision 
5.1. This report can be published externally and internally without
redactions.


Author: Chris Braithwaite 
Consultees: Joanne Butler. 


List of Annexes: Annex 1 - Risk Heat Map 


Annex 2 - Corporate Risk Review forms 
Annex A: Risk Heat Map


[Heat map figure. Axes: Likelihood/probability (scale labels include Medium and Very high) and Impact.]


R4: Capacity and Capability
R21: Cyber Security
R26: Improving productivity
R46: Financial Resilience
R61: Litigation Resource
R72: SMEs
R73: Compliance Culture
R81: Management Board Resilience
R83: Staff Wellbeing
R84: Major Incident
R85: Managing ICO Reputation
R86: Political and Economic Environment
R87: International Position
R88: Future Role and structure of ICO
R89: Compensation
R90: Regulatory Action
R91: Targeted Regulatory Activity
R93: Online Safety
O3: Expectations Gap
O2: Service Excellence
O71: Online Safety


Note: scores for opportunities are the inverse of scores for risks and should travel from low to high as the opportunity is exploited. So opportunities in the green section of the heat map are being exploited poorly and opportunities in the red section are being exploited well.